Author: Asia discusses IT. Source: Asia discusses IT
IDS is the abbreviation of the English term "Intrusion Detection System"; in Chinese it means 入侵检测系统 (intrusion detection system). Professionally speaking, an IDS monitors the running state of a network or system according to a defined security policy, discovers as far as possible every kind of attack attempt, attack behavior or attack result, and thereby protects the confidentiality, integrity and availability of network system resources.
A vivid analogy: if the firewall is the door lock of a building, then the IDS is the surveillance system inside that building. Once a thief climbs in through a window, or an insider acts beyond their authority, only a real-time surveillance system can discover the situation and raise an alarm.
In essence, an intrusion detection system is a typical "listening device". It does not span multiple physical network segments (usually it has only a single monitoring port), and it does not need to forward any traffic; it only needs to passively and silently collect the packets on the network that it cares about. From the collected packets the IDS extracts the corresponding traffic statistics and feature values, then compares and matches these traffic features against its built-in intrusion knowledge base for intelligent analysis. According to a preset threshold, packet traffic whose match degree is high is regarded as an attack, and the IDS, according to its configuration, raises an alarm or carries out a limited counter-attack. The principle model of an intrusion detection system is shown in the figure.

[Figure: the intrusion detection system continuously obtains a copy of the traffic on the network through its monitoring port]
The workflow of an intrusion detection system is divided roughly into the following steps:
(1) Information collection. The first step of intrusion detection is information collection, which includes the content of network traffic, the connection state of users and their behavior.
(2) Signal analysis. The information collected above is generally analyzed through three technical means: pattern matching, statistical analysis and integrity analysis. The first two methods are used for real-time intrusion detection, while integrity analysis is used for after-the-fact analysis.
The specific techniques are described as follows:
Pattern matching
Pattern matching compares the collected information against a database of known network intrusion and system misuse patterns, thereby discovering behavior that violates the security policy. This process may be very simple (for example, searching for a simple statement or command through string matching) or very complex (for example, using a regular expression or formal mathematical expression to describe a change in security state). Generally speaking, an attack pattern can be expressed as a process (for example, executing a command) or as an outcome (for example, obtaining privileges). The great merit of this method is that only the related data needs to be collected, which clearly reduces the system's burden, and the technology is already quite mature. It uses the same method as an antivirus firewall, and its detection accuracy and efficiency are quite high. However, the weakness of this method is that it must be continuously updated to cope with the hacker attack techniques that keep appearing, and it cannot detect a hacker attack method that has never appeared before.
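The following is an added example (not code from the original article) of the signature-based pattern matching described above: a read-only detector with a hypothetical knowledge base holding one plain string signature and one regular-expression signature, run over constructed sample packets. The last sample packet matches nothing, which illustrates the stated weakness that a never-seen technique produces no alert.

```python
import re
from dataclasses import dataclass

# Constructed sample "packets": (source, destination, payload) tuples standing in
# for the traffic copy an IDS reads from its monitoring port. Not real captures.
PACKETS = [
    ("10.0.0.5", "10.0.0.80", "GET /index.html HTTP/1.1\r\nHost: www\r\n"),
    ("10.0.0.9", "10.0.0.80", "GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\n"),
    ("10.0.0.7", "10.0.0.80", "GET /search?q=' OR 1=1-- HTTP/1.1\r\n"),
    ("10.0.0.3", "10.0.0.80", "GET /totally-new-technique HTTP/1.1\r\n"),
]

@dataclass
class Signature:
    name: str
    kind: str      # "string" for a plain substring match, "regex" for a regular expression
    pattern: str

# Hypothetical knowledge base with both forms the text mentions:
# a simple string match and a regular-expression match.
KNOWLEDGE_BASE = [
    Signature("directory traversal to /etc/passwd", "string", "../etc/passwd"),
    Signature("SQL injection tautology", "regex", r"'\s*OR\s+\d+=\d+"),
]

def matches(sig, payload):
    """Apply one signature to one payload; returns True on a hit."""
    if sig.kind == "string":
        return sig.pattern in payload
    return re.search(sig.pattern, payload, re.IGNORECASE) is not None

def detect(packets, knowledge_base=KNOWLEDGE_BASE):
    """Passive analysis only: returns one alert per (packet, signature) hit, forwards nothing."""
    alerts = []
    for src, dst, payload in packets:
        for sig in knowledge_base:
            if matches(sig, payload):
                alerts.append({"src": src, "dst": dst, "signature": sig.name})
    return alerts

if __name__ == "__main__":
    for a in detect(PACKETS):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['signature']}")
```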